If you’re using one of these models, it’s highly recommended that you replace your NAS system with one that’s still receiving patches from the manufacturer. If that isn’t possible right now, Netsecfish suggests restricting access to your NAS settings menu/interface to only trusted IP addresses. You could also isolate your NAS from the public internet to ensure that only authorized users can interact with it.
Emphasis mine, regardless of this incident, even with a brand new supported model, it shouldn’t be exposed to the internet. Half the reason these security issues are such a big deal is because manufacturers wanted to make things simple and designed it to sit on the open internet, so they wouldn’t have to deal with support requests. Now their customers are exposed because of poor recommendations and the lack of updates.
Still though, Dynamic DNS points to an external IP address, which you’d have your NAS exposed on a public port. This is the flaw in the design which allows remote execution of this exploit.
If you need remote access to the NAS, it should not be publicly exposed and should require a VPN to access. That way if there is an issue or misconfiguration, everyone on the internet can’t exploit it easily.
Emphasis mine, regardless of this incident, even with a brand new supported model, it shouldn’t be exposed to the internet. Half the reason these security issues are such a big deal is because manufacturers wanted to make things simple and designed it to sit on the open internet, so they wouldn’t have to deal with support requests. Now their customers are exposed because of poor recommendations and the lack of updates.
Exactly!
If you need external access, use an external access infrastructure that’s designed for that purpose, with controls and monitoring.
who the fuck even still has an exposed IPv4 address anyway, those are fucking expensive since we ran out. I couldn’t expose my network if I tried.
Dynamic DNS has solved that for 20+ years. Just need a domain name, and a utility to update the IP when it changes.
That said, my IP hasn’t changed in over 5 years now.
Dynamic DNS is useless if you’re on CGNAT.
Still though, Dynamic DNS points to an external IP address, which you’d have your NAS exposed on a public port. This is the flaw in the design which allows remote execution of this exploit.
If you need remote access to the NAS, it should not be publicly exposed and should require a VPN to access. That way if there is an issue or misconfiguration, everyone on the internet can’t exploit it easily.
Its free, so why the fuck not? Why the hassle with ddns, wich funnily enough is also free with my hoster/registra